WAN traffic downloading at max rate w/ low traffic on LAN or DMZ
-
What could be going on? I have snort and squid running on 2.0.1; it happens about 20 mins or so after reboot and seems like it only started maybe 2 days ago. I just killed the states and have been waiting for about 30 mins now and it just started again. I have snort running on both WAN and LAN with blocking enabled, but nothing seems to have triggered an alert.
Anyone have any ideas?
-
Is squid pre-loading its cache?
The pfSense shell command pftop can be used to display active states: type h once it's running to see single-letter commands to display state data. Two commands that might be useful: B to sort on bytes transferred and r to switch sort order (ascending to descending, descending to ascending).
The states might give some useful hints about what is happening.
-
Thanks for the reply wallabybob; I didn't set the cache to pre-load, so I don't think that would be the problem. I'll check the states more; I've looked at them, but I'm not sure that I'm seeing anything weird other than one of my switches is connecting to a 192.168.1.254 device for NTP. That doesn't make sense to me.
-
Seems like it ended up being a squid/Windows updates configuration problem; thanks jimp for the help! So far things are calm. I'll keep my eye on it tonight.
-
Please post the details of your Windows Update / squid settings. I followed a pfSense doc somewhere on caching Windows updates in squid and saw the same thing you're describing. I ended up scrapping squid for other reasons but I may try it again at some point.